<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>File-based user authentication | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'file-realm.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/file-realm.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/file-realm.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/file-realm.html" rel="nofollow" target="_blank">../en/file-realm.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="setting-up-authentication.html">User authentication</a></span>
»
<span class="breadcrumb-node">File-based user authentication</span>
</div>
<div class="navheader">
<span class="prev">
<a href="active-directory-realm.html">« Active Directory user authentication</a>
</span>
<span class="next">
<a href="ldap-realm.html">LDAP user authentication »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="file-realm"></a>File-based user authentication<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/file-realm.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>You can manage and authenticate users with the built-in <code class="literal">file</code> realm.
With the <code class="literal">file</code> realm, users are defined in local files on each node in the cluster.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>As the administrator of the cluster, it is your responsibility to
ensure the same users are defined on every node in the cluster. The Elastic Stack
security features do not deliver any mechanism to guarantee this. You should
also be aware that you cannot add or manage users in the <code class="literal">file</code> realm via the
<a class="xref" href="security-api.html#security-user-apis" title="Users">user APIs</a> and you cannot add or manage them in Kibana on the
<span class="strong strong"><strong>Management / Security / Users</strong></span> page</p>
</div>
</div>
<p>The <code class="literal">file</code> realm is very useful as a fallback or recovery realm. For example in cases where
the cluster is unresponsive or the security index is unavailable, or when you forget the
password for your administrative users.
In this type of scenario, the <code class="literal">file</code> realm is a convenient way out - you can
define a new <code class="literal">admin</code> user in the <code class="literal">file</code> realm and use it to log in and reset the
credentials of all other users.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>When you configure realms in <code class="literal">elasticsearch.yml</code>, only the realms you
specify are used for authentication. To use the <code class="literal">file</code> realm you must explicitly
include it in the realm chain. While it is possible to define multiple instances
of some other realms, you can define only <em>one</em> file realm per node.</p>
</div>
</div>
<p>To define users, the security features provide the
<a href="users-command.html" class="ulink" target="_top">users</a> command-line tool. This tool enables you to add
and remove users, assign user roles, and manage user passwords.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="file-realm-configuration"></a>Configuring a file realm<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/file-realm.asciidoc">edit</a>
</h3>
</div></div></div>
<p>All the data about the users for the <code class="literal">file</code> realm is stored in two files on each
node in the cluster: <code class="literal">users</code> and <code class="literal">users_roles</code>. Both files are located in
<code class="literal">ES_PATH_CONF</code> and are read on startup.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>The <code class="literal">users</code> and <code class="literal">users_roles</code> files are managed locally by the node and are
<span class="strong strong"><strong>not</strong></span> managed globally by the cluster. This means that with a typical
multi-node cluster, the exact same changes need to be applied on each and every
node in the cluster.</p>
<p>A safer approach would be to apply the change on one of the nodes and have the
files distributed or copied to all other nodes in the cluster (either manually
or using a configuration management system such as Puppet or Chef).</p>
</div>
</div>
<p>The <code class="literal">file</code> realm is added to the realm chain by default. You don’t need to
explicitly configure a <code class="literal">file</code> realm.</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>(Optional) Add a realm configuration to <code class="literal">elasticsearch.yml</code> under the
<code class="literal">xpack.security.authc.realms.file</code> namespace. At a minimum, you must set
the realm’s <code class="literal">order</code> attribute.</p>
<p>For example, the following snippet shows a <code class="literal">file</code> realm configuration that sets
the <code class="literal">order</code> to zero so the realm is checked first:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack:
  security:
    authc:
      realms:
        file:
          file1:
            order: 0</pre>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>You can configure only one file realm on Elasticsearch nodes.</p>
</div>
</div>
</li>
<li class="listitem">
Restart Elasticsearch.
</li>
<li class="listitem">
<p>Add user information to the <code class="literal">ES_PATH_CONF/users</code> file on each node in the
cluster.</p>
<p>The <code class="literal">users</code> file stores all the users and their passwords. Each line in the file
represents a single user entry consisting of the username and <span class="strong strong"><strong>hashed</strong></span> and <span class="strong strong"><strong>salted</strong></span> password.</p>
<div class="pre_wrapper lang-bash">
<pre class="programlisting prettyprint lang-bash">rdeniro:$2a$10$BBJ/ILiyJ1eBTYoRKxkqbuDEdYECplvxnqQ47uiowE7yGqvCEgj9W
alpacino:$2a$10$cNwHnElYiMYZ/T3K4PvzGeJ1KbpXZp2PfoQD.gfaVdImnHOwIuBKS
jacknich:{PBKDF2}50000$z1CLJt0MEFjkIK5iEfgvfnA6xq7lF25uasspsTKSo5Q=$XxCVLbaKDimOdyWgLCLJiyoiWpA/XDMe/xtVgn1r5Sg=</pre>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>To limit exposure to credential theft and mitigate credential compromise,
the file realm stores passwords and caches user credentials according to
security best practices. By default, a hashed version of user credentials
is stored in memory, using a salted <code class="literal">sha-256</code> hash algorithm and a hashed
version of passwords is stored on disk salted and hashed with the <code class="literal">bcrypt</code>
hash algorithm. To use different hash algorithms, see <a class="xref" href="security-settings.html#hashing-settings" title="User cache and password hash algorithms">User cache and password hash algorithms</a>.</p>
</div>
</div>
<p>While it is possible to modify the <code class="literal">users</code> files directly using any standard text
editor, we strongly recommend using the <a class="xref" href="users-command.html" title="elasticsearch-users"><em>elasticsearch-users</em></a> tool to apply the
required changes.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>As the administrator of the cluster, it is your responsibility to
            ensure the same users are defined on every node in the cluster.
            The Elasticsearch security features do not deliver any mechanisms to
            guarantee this.</p>
</div>
</div>
</li>
<li class="listitem">
<p>Add role information to the <code class="literal">ES_PATH_CONF/users_roles</code> file on each node
in the cluster.</p>
<p>The <code class="literal">users_roles</code> file stores the roles associated with the users. For example:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">admin:rdeniro
power_user:alpacino,jacknich
user:jacknich</pre>
</div>
<p>Each row maps a role to a comma-separated list of all the users that are
associated with that role.</p>
<p>You can use the <a class="xref" href="users-command.html" title="elasticsearch-users"><em>elasticsearch-users</em></a> tool to update this file. You must ensure that
the same changes are made on every node in the cluster.</p>
</li>
<li class="listitem">
<p>(Optional) Change how often the <code class="literal">users</code> and <code class="literal">users_roles</code> files are checked.</p>
<p>By default, Elasticsearch checks these files for changes every 5 seconds. You can
change this default behavior by changing the <code class="literal">resource.reload.interval.high</code>
setting in the <code class="literal">elasticsearch.yml</code> file (as this is a common setting in Elasticsearch,
changing its value may effect other schedules in the system).</p>
</li>
</ol>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="active-directory-realm.html">« Active Directory user authentication</a>
</span>
<span class="next">
<a href="ldap-realm.html">LDAP user authentication »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>